Thursday, April 17, 2014

Heartbleed and false equivalence

This morning I had the opportunity to listen to a bit of NPR, where a piece on Heartbleed was being discussed by Larry Mantle on Air Talk. You can read and download the piece: New report: The internet is too interconnected to fail. Medium story short: the segment and Larry have the apparent opinion that the way the collective technology industry handles these kinds of issues is "ineffective", comparing it to the financial meltdown and its effects. I disagree; here's why.

Heartbleed is a huge "hair on fire" situation; no competent person on the tech side of things disagrees. Easily tens of thousands, perhaps hundreds of thousands, of IT professionals of one kind or another spent hours or days each dealing with the fallout of Heartbleed. The total financial cost of updating or replacing every piece of software and hardware that suffers from this bug globally is easily in the billions of dollars, spread out over millions of organizations. Some fixes were as simple as updating and restarting a few pieces of core software; others required what can only be described as major surgery. And what is the result?

The internet is recovering pretty quickly. Unlike the financial crisis, the direct cause of Heartbleed can be narrowed down to literally a half dozen lines of code or less. That code has been fixed (in some cases the "heartbeat" feature that was the source of the bug has been removed entirely), millions of copies of OpenSSL have been updated or replaced, and a variety of professionals who build safe and secure software have come together to make the situation better - to try and prevent this kind of thing from ever happening again. Are there still vulnerable systems? Yes. Will there be vulnerable systems in 6 months? Probably, just like there are still people using Windows XP with Internet Explorer 6. But thousands of technologically adept professionals are pushing as hard as they can to get as much fixed as absolutely possible.

Thinking back to what went on after the financial meltdown, can you see any difference? I can. The biggest that I can see is that none of the fundamental causes of the meltdown have ever been addressed. Banks are still extraordinarily under-regulated (as the Libor scandal showed), banks are still too large, banks are still trying to maximize profit via borrowing at low rates from the Fed, banks are still leveraging, and so on. The only thing that has sort of changed is that the commoditization of consumer loans doesn't seem to happen anymore, and credit reporting companies are now paying better attention in those situations where commoditization does occur. But all of the fundamental things that banks do to maximize profit and to grow larger are still allowed.

While Larry may see parallels, I see almost none. The technologies underlying the internet that keeps us all connected to one another are supported and developed by passionate people who have every possible reason to create and maintain a safe and secure environment for everyone. This point cannot be overstated. The people working on this do it because they know how important it is for it to be available to everyone. Some volunteer and some are underpaid. That's right: some of the people who design and build the core technology behind securing the majority of web servers in the world volunteer their time to make it better for everyone. If you haven't read this post from the finance guy at OpenSSL, you should.

On the other side of the coin, banks and the finance industry have no good reason to change anything, as they are still extracting immense value from the way the system is being run. Incomes among those in the finance industry are as high as they've ever been. And nothing has fundamentally changed in the finance industry to prevent anything like the meltdown from happening again.

If there is one thing to be learned from Heartbleed, it's that the global technology industry is pretty well equipped to deal with catastrophic failure. We (those of us in tech) fix the problem, prepare a variety of mitigation strategies to prevent a similar problem from happening again, and we move on to bigger and better things. We aren't done yet, but we'll get there.

Can you imagine if the finance industry were willing to fix itself to the same extent? I can't, but I'm a realist.
